Tag Archives: blackhat

For the last several months I’ve been performing research on techniques attackers could use for performing accounting fraud in popular accounting systems. This research coincides with a whitepaper that SecureState has developed entitled “Cash is King: Who’s Wearing Your Crown?” To perform this research I have collaborated with a coworker of mine, Brett Kimmell, who is the manager of SecureState’s Risk Management practice. Brett and I will be presenting the findings from our research at the Black Hat security conference in Abu Dhabi on December 6. This is by far the most unique topic I’ve researched in that we’ve combined penetration testing techniques with ways to commit fraud and more importantly, showing real world accounting fraud prevention. Brett Kimmell is a CPA and has many years of experience with accounting and fraud detection. He was also the CFO for a large non-profit organization. Combine this skill set with penetration testing and cutting edge malware development and you have research that truly demonstrates attacks that literally hit the “bottom line” of a company. As a penetration tester I find that gaining access to customer data, passwords, credit cards, PHI and other standard fare (ie: Trophies) are just the beginning of what can damage a company. In this research we take it to the next level and show the damage that can be done where it truly hurts a company: the financial system. It’s my hope is that this is just the start of showing organizations’ true business risk through advanced penetration testing.

In our work we’ve focused our research on Microsoft Dynamics Great Plains (GP). GP is the most popular accounting system used by small to midsized businesses across the world. In our research we show how attackers can commit undetectable fraud by manipulating accounting systems like GP. These attacks are quite different than finding and exposing a 0-day in software, as our research is centered on creating attacks (including custom created malware) that specifically targets a company’s accounting processes. The attacks we illustrate in our research show that technical controls cannot be solely relied on to prevent fraud. Non-technical accounting controls must be implemented and proper oversight maintained to be effective in combating modern fraud.

Next week we will be releasing our whitepaper as well as “Mayhem”, which is proof-of-concept code designed to hijack and manipulate the accounting processes within Microsoft Dynamics GP. Mayhem was created by the talented Spencer McIntyre of SecureState’s Research & Innovation Team. Mayhem is actively being developed but even in its current state (which we will demonstrate at Black Hat) will make you take a hard look at how a company needs to defend against this type of threat. Similar to how banking Trojans have targeted banking consumers in recent years, Mayhem is the first type of attack that we know of that targets the accounting systems of a company. While we focus on Microsoft Dynamics GP in our research, it can be easily ported to other types of accounting systems. Stay tuned next week as we reveal details about Mayhem and how our research puts a new focus on accounting controls.

Sorry for the long delay on posting the slides from the presentation that myself, Josh Abraham and Kevin Johnson did at Black Hat USA and DEF CON 19. I’ve uploaded the slides from DEF CON to SlideShare (you can also download a copy there as well) and below are the links to the tools and white paper. I’m currently in the process of working with OWASP to get the testing methodology put into the next version of the OWASP testing guide (v4). If you have any comments or bug reports for the tools and vulnerable web services please let Josh and Kevin know, they would appreciate it!

Share and Enjoy

I am on my way back from Black Hat and Defcon 16 in Las Vegas with a three hour delayed flight so this is probably a good time to talk about Black Hat and Defcon 16.

To start off…this was one busy and eventful week! I met so many people this week it was crazy. I am officially overflowed with business cards! I got lots of opportunities to not only meet some of the people that I admire in the security industry but also had a chance to network with a great many others that I just met. There were some really good parties (umm..networking opportunities) at both Black Hat and Defcon. Some worth mentioning that I was at were Mozilla, Core Impact, Ethical Hacker, and I-Hacked. I also attended a Security Twits meetup on Friday night at Sushi Roku and got to meet many of the Security Twits in person which was really cool. Thanks to @quine for organizing this event!

I attended several talks at both Black Hat and Defcon. I was able to attend everything that I wanted at Black Hat and even attempted to “live tweet” the Dan Kaminsky talk. You can see my updates through TweetScan or other Twitter search tools by searching for #blackhat and #defcon on my Twitter ID (agent0x0). Most of my time at Defcon was spent watching my wife win the Guitar Hero 3 Medium contest…(first woman to win this contest at Defcon) and improving my lock picking skills in the lock picking village. I have to say that I focused a lot of my time at Defcon just enjoying the contests and meeting new friends. I absolutely love Defcon. It’s the greatest meetup of the good, bad, and everyone in between. One talk that was a highlight for me was Jay Beale’s talk on “Owning the users with the Middler”. I interviewed Jay on the Security Justice podcast about a week ago where he talked about the tool. Jay’s talk was packed! Standing room only (goons were sent in to crowd control). He did a good job even though he couldn’t finish his talk because time ran out. If you get an opportunity to see Jay speak, I highly recommend it! Speaking of goons…I have to hand it to the Defcon goons this year for doing a great job with crowd control! I overheard one goon say that he was doing crowd control for a “f***ton” of people! Oh, and the badges were pretty cool as well…once I waited in a long line for mine on day 2. The badge is actually a “tv-b-gone”…I could turn the TV on and off in my hotel room with the badge. Neat!

Speaking of podcasts…I was fortunate to participate in the live podcast at Defcon 16 right before the I-Hacked party in one of the Sky Boxes. I podcasted with Chris and Jay from Securabit, Larry from PaulDotCom, Matt from SploitCast and Martin McKeay from the Network Security Podcast. Rob Fuller (@mubix) coordinated and hosted the event. Hopefully some of you were able to tune into the live video and audio and chat via IRC. Not sure if the recording will be released or not. I’ll post a link if it is.

Finally, lots of pictures were taken!! I will be posting mine to both my personal and the Security Justice podcast web site Flickr account soon.

It looks like my plane just arrived…I hope to post more stuff on Black Hat/Defcon in the coming days.

Share and Enjoy

I thought I would throw my list into the mix of other Security Twits that are posting about talks they are either going to or wish they were going to at Black Hat this week. Most of my picks have a pentest perspective to them (a lot like CG’s over at Carnal0wnage). Here is my tentative list of talks I plan on attending:

If your a penetration tester, don’t miss this one…Fyodor is a legend (heck, even some girl at sexyhacking.com (NSFW!) thinks so…the man has stalkers! ) and I’m looking forward to hear about new and unique ways to use Nmap.

11:15 to 12:30Black Ops 2008: Its The End Of The Cache As We Know It – Dan Kaminsky

Unless you have been living under a rock for the last month then you should know about this one. It will be crowded (like all of Dan’s talks) but well worth attending.

13:45 to 15:00Client-side Security – Petko D. Petkov

Another not to miss talk in my book. Petko or better known as pdp heads up GNUCITIZEN which is one of the sites that I closely follow. GNUCITIZEN releases some amazing security research and are always on the cutting edge. As a bonus it looks like pdp will provide details of a QuickTime 0day for Windows Vista and XP.

15:15 to 16:30
Bluetooth v2.1 – a New Security Infrastructure and New Vulnerabilities – Andrew Lindell

This one should be different. I recently started gaining more of an interest in Bluetooth vulnerabilities. Andrew will “show that it is possible to pair with a device that uses a fixed (but unknown) password, even when the password is random and reasonably long”. Sounds interesting.

16:45 to 18:00
MetaPost Exploitation – Val Smith

This is one I am really looking forward to. This is one just for penetration testers. I saw Val Smith and HD Moore present last year on “Tactical Exploitation” and it was outstanding.

After hours…
The Pwnie Awards 2008

If I’m not totally beat I plan on attending this. Should be fun to check out before hitting some of the parties.

August 7th
10:00 to 11:00
Satan is on My Friends List: Attacking Social Networks – Shawn Moyer and Nathan Hamiel

I was tossed between this one and “Encoded, Layered and Transcoded Syntax Attacks”. However, I am really on a social network security kick as of late so I think I will attend this one. If it is lame, I’ll jump in the other talk.

While not pentest specific…this one looks pretty interesting. The synopsis notes the following: “…we will discuss domain name abuse, including typo squatting and domain speculation as it relates to candidate Internet domains. We will present and demonstrate how widespread this activity has already become. Secondly, we will discuss the potential impact of phishing on an election.” Sounds cool!

13:45 to 15:00
Hacking and Injecting Federal Trojans – Lukas Grunwald

The “infection proxy” demo seems worth seeing! The other talk that sounds cool is the one Joanna Rutkowska is doing. I saw her talk at Black Hat last year. Joanna is a brilliant mind, but a *fast* talker…with the amount of technical detail she usually covers…it’s tough to keep up.

15:15 to 16:30
…Continuing “Hacking and Injecting Federal Trojans”. If it seems to suck, I’ll be at the following:

We all have seen a rise in this type of attack over the last year. It’s true…there isn’t a ton of information about the technical details of these types of attacks. Hopefully this talk sheds some light on what’s behind them and help with introducing some new prevention methods.

Wow. Packed schedule with lots of great talks! Looking forward to Las Vegas as well! Always a good time (if I can break even…it would be better). Oh, and hopefully I will be able to hook up with some of the other Security Twits during the week. I’ll be at Defcon as well so if anyone wants to have a beer hit me up on Twitter…or, just stop by the Podcaster/Blogger Meetup at Defcon 16. I’ll be there representing the Security Justice podcast.

Stay tuned for my Defcon 16 “talks to attend” post in the next few days.

Share and Enjoy

Subscribe

My last Tweet

Find me on Facebook

Disclaimer

This is a personal weblog. The opinions expressed here represent my own and not those of my employer.